Filed under: HW hacking

The Spanish Ya.com ADSL connection comes with an ARV4518PW modem/router/access point. It looks like this:

Unfortunately, the router configuration forces you to use an ADSL username ending in a domain such as @yacomadsl, @orange, or a few other pre-defined domains. This is meant to prevent you from using the router with another ADSL provider. But, heck! We don’t like these kinds of boundaries; let’s tear them down!

Luckily for us, the router’s web GUI does not implement any input validation. Here is the procedure to set an arbitrary ADSL username.

Settings

These are some numbers appearing on the back of the router:

Model Name: ARV4518PW

HW Version: R01A

Astoria networks

Production date: 04/2010

This applies to firmware version 0.10.016. It may work for older firmware versions as well. You can check your firmware version on the Status page.

The Quick way

You may want to reset the router: while it’s turned on, press and hold the reset button for 5 seconds.

Log in to the web GUI. It is usually at http://192.168.2.1 and the default password is admin.

From the same computer you logged in from, set these variables to the proper values (I’m assuming a bash shell):

Go to http://192.168.2.1/wait0.stm, check your data, then click Finish. The router will reboot.

Go to http://192.168.2.1 and log in, then click Status to check that everything is working properly. After a few seconds you should see ADSL: CONNECTED. Cool! You can now go through the menu to configure the router. I’d recommend disabling the built-in firewall because it causes problems with P2P traffic.

The classy way (installing OpenWRT)

As you have noticed, this is a tricky workaround. But your router can give you much more! You can install the OpenWRT firmware, which lets you do a lot more. Unfortunately, you need to open the case, connect through a serial port and a converter, and upload the firmware. Information about OpenWRT support for this modem can be found on the OpenWRT Wiki, and detailed installation instructions are here (first post, Spanish) and here (Spanish).

Explanation / troubleshooting

How did the trick work? The point is that the web GUI forces you to choose a domain for the username (click on “Setup Wizard”). The domain is chosen from a drop-down menu. Have a look at the HTML source; the drop-down menu is as follows:

Each domain corresponds to a value (an integer from 0 to 7) that the variable ISP_Username_Domain can take. A GUI that performed input validation would check that the value passed by the browser falls in that range. Luckily for us, this one doesn’t. So what happens if we pass values like 8, -1, 18, or 20? Weird strings, taken from somewhere in the router’s memory, are appended to the username. Of course, if one of these values appends the empty string, we win: the username we pass will not be modified in any way.
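To make the mechanism concrete, here is an added example of my own (not the router’s firmware, whose code is unknown): a constructed model of the 8-entry domain table with the unchecked lookup the GUI apparently performs, beside a lookup that rejects anything the drop-down could not have sent. The table contents, the neighbouring strings and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMAIN_COUNT 8   /* the drop-down only ever sends 0..7 */

/* Constructed stand-in for the firmware's data: the 8 domain suffixes sit between
 * unrelated strings. Only @yacomadsl and @orange are from the page; the rest are placeholders. */
static const char *const DATA_SEGMENT[] = {
    "ppp0", "",                                   /* table index -2, -1 (the empty string) */
    "@yacomadsl", "@orange", "@isp2", "@isp3", "@isp4", "@isp5", "@isp6", "@isp7",
    "br0", "wait0.stm",                           /* table index 8, 9 */
};
static const char *const *const DOMAIN_TABLE = &DATA_SEGMENT[2];

/* Vulnerable: atoi() the form field and index the table with whatever comes back.
 * Outside 0..7 this reads a neighbouring string; in real firmware that read is undefined. */
void build_username_unchecked(char *out, size_t outlen, const char *user, const char *field)
{
    int idx = atoi(field);
    snprintf(out, outlen, "%s%s", user, DOMAIN_TABLE[idx]);
}

/* Hardened: parse strictly and accept only an index the drop-down can send.
 * Returns 0 on success, -1 otherwise. strtol() clamps overflow to LONG_MIN/LONG_MAX,
 * which the range check rejects, so no errno handling is needed here. */
int build_username_checked(char *out, size_t outlen, const char *user, const char *field)
{
    char *end;
    long idx = strtol(field, &end, 10);
    if (end == field || *end != '\0')
        return -1;                  /* "", "7x": not an integer at all */
    if (idx < 0 || idx >= DOMAIN_COUNT)
        return -1;                  /* not one of the eight drop-down values */
    if (snprintf(out, outlen, "%s%s", user, DOMAIN_TABLE[idx]) >= (int)outlen)
        return -1;                  /* result would not fit the buffer */
    return 0;
}

int main(void)
{
    char a[64], b[64];
    const char *probes[] = { "0", "-1", "8", "9" };
    for (size_t i = 0; i < 4; i++) {
        build_username_unchecked(a, sizeof a, "billgates", probes[i]);
        int rc = build_username_checked(b, sizeof b, "billgates", probes[i]);
        printf("%-2s unchecked: %-22s checked: %s\n", probes[i], a, rc ? "rejected" : b);
    }
    return 0;
}
```

With the model above, index -1 lands on the empty string and the unchecked build returns “billgates” untouched, which is exactly the case the post hunts for; the checked build refuses every probe except 0.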

Here are a few values outside the range [0,7] and how the username “billgates” gets modified: